Current behavior
At the moment, this BCheck does not take into account that the searched value can occur in header values, which introduces many false positives, as a new header is not injected per se.
For example:
HTTP/2 302 Found
Date: Wed, 06 Mar 2024 08:49:00 GMT
Content-Length: 0
Location: https://127.0.0.1/login/login?redirectAfterLogin=https://127.0.0.1/listview.jsp%0d%0aX-TEST-Header:%20a4k9m24nsdqmq%0d%0a%3FlogicQuery%3Dfalse
X-Xss-Protection: 1; mode=block
This will trigger CRLF Injection, hence it has too many false positives, since it simply searches for the string in all headers, not only in header names.
I think this BCheck line should be tuned a little:
if "x-test-header" in {to_lower({crlf.response.headers})} then
Expected behavior
It should check if a new header exists with the name + value; not all headers for this string.
Motivation for change
Too many false positive issues on some environments.
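The distinction the issue draws, as an added Python example that is not part of the BCheck or this thread: a case-insensitive substring search over the whole header block (the behaviour described above) fires on the marker reflected inside the Location value, while a check for a header with that exact name and value fires only when a header line was really injected. Both responses are constructed from the one quoted above; the function names are the example's own.

```python
# Added example, not from the BCheck or the issue: substring search over the
# header block versus a check for an actual header with the marker name+value.
MARKER_NAME = "X-TEST-Header"
MARKER_VALUE = "a4k9m24nsdqmq"

# Constructed from the response quoted in the issue: the marker only appears
# URL-encoded inside the Location value, so no new header was injected.
REFLECTED_ONLY = (
    "HTTP/2 302 Found\r\n"
    "Date: Wed, 06 Mar 2024 08:49:00 GMT\r\n"
    "Content-Length: 0\r\n"
    "Location: https://127.0.0.1/login/login?redirectAfterLogin="
    "https://127.0.0.1/listview.jsp%0d%0aX-TEST-Header:%20a4k9m24nsdqmq"
    "%0d%0a%3FlogicQuery%3Dfalse\r\n"
    "X-Xss-Protection: 1; mode=block\r\n\r\n"
)

# Constructed: what a vulnerable server would emit if the CRLFs were decoded.
TRULY_INJECTED = (
    "HTTP/2 302 Found\r\n"
    "Location: https://127.0.0.1/listview.jsp\r\n"
    "X-TEST-Header: a4k9m24nsdqmq\r\n"
    "?logicQuery=false\r\n"
    "X-Xss-Protection: 1; mode=block\r\n\r\n"
)

def header_block(raw):
    """Status line plus headers, i.e. what {crlf.response.headers} covers."""
    return raw.split("\r\n\r\n", 1)[0]

def naive_match(raw):
    """The check as the issue describes it: case-insensitive substring search."""
    return MARKER_NAME.lower() in header_block(raw).lower()

def parse_headers(raw):
    """Yield (name, value) pairs; names lower-cased, lines without ':' skipped."""
    for line in header_block(raw).split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            yield name.strip().lower(), value.strip()

def header_injected(raw):
    """Fire only when a header with the marker name AND value is present."""
    return any(n == MARKER_NAME.lower() and v == MARKER_VALUE
               for n, v in parse_headers(raw))

if __name__ == "__main__":
    for label, resp in (("reflected only", REFLECTED_ONLY), ("injected", TRULY_INJECTED)):
        print(f"{label}: naive={naive_match(resp)} strict={header_injected(resp)}")
```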
Hi @Hipapheralkus, we've made some adjustments to the script in the linked pull request. Please let us know if you still experience too many false positives with the updated script.